Joined: 29 Oct 2017
|Posted: Sun Oct 29, 2017 9:20 pm Post subject: Captive Portal X509 CommonName
|ZS has the option to use the commonName from an X509 certificate instead of the IP address of the server in the redirect and popups.
The latest X509 recommendation is to not use a FQDN as a commonName, but instead add the FQDN to the SubjectAlternateName extensions. Meanwhile, the commonName should be an unique text.
However, if text (as opposed to a FQDN) is used for a certificate's commonName, the redirect will fail. What's worse - if this text has a space the captive portal will not start.
I believe the Use CN to redirect should be replaced with either:
- text box where the administrator can enter the FQDN
- the FQDN of the server
- a selection of all the SubjectAlterateNames from within the X509 certificate.
The latest browsers ignore FQDN in the commonName field and only look in the SubjectAlternateName extension; therefore this option is deprecated.